Security Update, Mingchao Ma, HEPSYSMAN - Security, 1st July 2009.

Overview
Security service challenge 3 (SSC 3)
Security incident handling procedure
Security monitoring
Security training and dissemination

SSC3
EGEE Tier1 sites have been tested twice by OSCT
Regional runs at Tier2 sites done by ROC security officers
  – UKI, SEE, Benelux and Italy completed
Regional run at OSG done
Regional run at NDGF planned

SSC3 Result – Tier1 Sites (results chart not reproduced in the transcript)

SSC3: Analysis
All sites (besides one) improved
Sites that scored well in the first run improved in the second run
Sites that did not score very well in the first run improved a lot
Most sites (besides one) enjoyed the opportunity to test their response capabilities and even to reveal operational problems

SSC3 Result – UKI Tier2 Sites (results chart not reproduced in the transcript)

SSC - Plans
To run a modified SSC3
  – E.g. treat IP W.X.Y.Z as malicious
Storage SSC
  – Under discussion
  – Some concerns on the logging capabilities of storage middleware
Re-run SSC3 on Tier2 sites

Incident Handling
Security Incident Response Policy (draft)
The revised EGEE incident handling procedure
  – In final stage – http://indico.cern.ch/materialDisplay.py?contribId=12&sessionId=1&materialId=0&confId=56981
  – Change of reporting channels for reporting incidents and for support
  – Specify a timeframe for each step, e.g. report an incident within 4 hours after detection
  – Templates for reporting an incident
Both GridPP and NGS incident procedures will be modified in line with the EGEE incident procedure

GridPP Incident Handling Procedure
Communication channel
  – Was: a list of security contacts (address not reproduced in the transcript)
  – Change to: one address for incident alert/report/notification and one for discussion/support (addresses not reproduced in the transcript)
Feedback/comments are welcome!

NGS Incident Handling Procedure
Communication channel
  – Was: two separate addresses (not reproduced in the transcript)
  – Change to: one address for incident alert/report/notification and one for discussion/support (addresses not reproduced in the transcript)
Feedback/comments are welcome!

Cross-Grid Incident Handling
GRID-SEC
  – A coordinated response to cross-grid security incidents, following the NSP-SEC model
  – A closed mailing list hosted by NCSA, USA
  – To strengthen communication between a small group of experts at connected academic grids
  – Maximum two representatives from the same Grid infrastructure
  – Currently includes: OSG, TeraGrid, NDGF and EGEE

Cooperation between Grid (OSCT) and NREN CSIRTs
Collected a list of NREN CSIRT contact information
To participate in NREN CSIRT activities
To encourage cooperation between ROC security contacts and local NREN CSIRT team(s)
Also encourage cooperation between site security contacts and their organization's security/CSIRT teams
Consider becoming a trusted introducer? (e.g. EGEE OSCT)

Security Monitoring
Some SAM security tests available
  – CRL and file permission checks
  – Results only available to security contacts
Port the tests to the Nagios-based framework
  – ROC (or even project/VO) level Nagios will perform the tests
  – Results must be encrypted, access policy defined
  – Focus on project/ROC level monitoring
  – More information can be found in EGEEIII-tasks/security-monitoring-v0.12.pdf
Further security probes to be developed
  – Call for Nagios-based security probes, based on risk analysis and/or previous incidents
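A Nagios-style security probe of the kind the slide calls for, written here as an illustration and not OSCT's or SAM's own code: it checks that the host key is not group/world accessible and that the CRLs under certificates/ are still being refreshed, using file mtime as a stand-in for each CRL's nextUpdate. The /etc/grid-security layout, the thresholds and the sample files are assumptions constructed for the example.

```python
import os
import stat
import tempfile
import time

OK, WARNING, CRITICAL = 0, 1, 2  # Nagios plugin exit codes

def check_key_permissions(key_path):
    """The host private key must be readable by its owner only (mode 0400 or 0600)."""
    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return CRITICAL, f"{key_path} is group/world accessible (mode {mode:04o})"
    return OK, f"{key_path} mode {mode:04o}"

def check_crl_freshness(cert_dir, warn_hours=24, crit_hours=72):
    """fetch-crl rewrites the <hash>.r0 files on every run, so a stale mtime means CRLs are
    not being refreshed. Assumption: mtime is the freshness proxy, not the CRL's nextUpdate."""
    crls = [f for f in os.listdir(cert_dir) if f.endswith(".r0")]
    if not crls:
        return CRITICAL, f"no CRL files found in {cert_dir}"
    now = time.time()
    age_h = max(now - os.stat(os.path.join(cert_dir, f)).st_mtime for f in crls) / 3600
    if age_h > crit_hours:
        return CRITICAL, f"oldest CRL is {age_h:.1f}h old"
    if age_h > warn_hours:
        return WARNING, f"oldest CRL is {age_h:.1f}h old"
    return OK, f"{len(crls)} CRL(s), oldest {age_h:.1f}h old"

def run_probe(grid_security_dir):
    """Combine the checks Nagios-style: the worst status wins, one summary line."""
    results = [check_key_permissions(os.path.join(grid_security_dir, "hostkey.pem")),
               check_crl_freshness(os.path.join(grid_security_dir, "certificates"))]
    status = max(code for code, _ in results)
    label = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}[status]
    return status, f"GRID_SECURITY {label} - " + "; ".join(msg for _, msg in results)

def build_sample_tree(key_mode=0o400, crl_age_hours=2):
    """Constructed stand-in for /etc/grid-security in a temp dir so the probe runs offline."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "certificates"))
    key = os.path.join(root, "hostkey.pem")
    with open(key, "w") as f:
        f.write("constructed placeholder, not a real key\n")
    os.chmod(key, key_mode)
    crl = os.path.join(root, "certificates", "01234567.r0")  # constructed CA hash name
    with open(crl, "w") as f:
        f.write("constructed placeholder, not a real CRL\n")
    stamp = time.time() - crl_age_hours * 3600
    os.utime(crl, (stamp, stamp))
    return root
```

Pointed at a real /etc/grid-security, run_probe returns the exit code Nagios expects plus the status line; the ROC-level deployment the slide describes would still have to encrypt the results in transit.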

Patch Monitoring - Pakiti
The Pakiti software is freely available from sourceforge
  – used by some sites/ROCs (RAL Tier1, NIKHEF, SEE ROC)
  – currently being re-designed, significant changes expected during this summer
Pakiti campaign
  – Many sites not applying security patches (vanilla SL3 distributions!); a wide range of exploits exist in the wild
  – OSCT is establishing a Pakiti server to collect and evaluate information about the sites' patching status
  – we only use the "public" interface, by sending a job
  – any authorized user can do the same
The middle-term goal is to move the Pakiti framework to Nagios
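An added illustration, not Pakiti's own code, of the evaluation step behind the campaign: a job reports the package versions installed on a node and the server compares them with the versions in which the fixes shipped, using RPM-style version ordering. The report format, the package versions and the "fixed in" table are all constructed for the example and do not correspond to real advisories.

```python
import re

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Compare two RPM version or release strings the way rpm does (simplified: no
    epoch or tilde handling). Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alphabetic one
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # the longer string is newer

def parse_report(text):
    """Parse a report sent back by a job: one 'name version release' per line.
    (Constructed format for this example, not Pakiti's own wire format.)"""
    pkgs = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, ver, rel = line.split()
            pkgs[name] = (ver, rel)
    return pkgs

def outdated(installed, required):
    """Packages whose installed (version, release) is older than the one carrying the fix."""
    out = []
    for name, (fver, frel) in required.items():
        if name in installed:
            iver, irel = installed[name]
            if (rpmvercmp(iver, fver) or rpmvercmp(irel, frel)) < 0:
                out.append((name, f"{iver}-{irel}", f"{fver}-{frel}"))
    return sorted(out)

# Constructed sample: what a job running on a worker node might report.
SAMPLE_REPORT = """# host wn042.example.org (constructed)
kernel 2.6.9 55.0.12.EL
openssl 0.9.7a 43.17
openssh 3.9p1 8.RHEL4.20
"""
# Constructed "fixed in" table standing in for the vendor advisories a Pakiti server uses.
SAMPLE_ADVISORIES = {
    "kernel": ("2.6.9", "89.0.3.EL"),
    "openssl": ("0.9.7a", "43.18"),
    "openssh": ("3.9p1", "8.RHEL4.20"),
}
```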

Traceability of users
Tools to analyze log files
  – Collecting information about the actions of a particular user
  – Focused on site level, to be performed by sysadmins
  – Work in progress – some "filters" already available
Tools to analyze data from the L&B database
  – grid/VO level
  – Complete information about a user's activities on the grid
  – Intended for VO managers
  – Work planned, not started yet
More info at http://indico.cern.ch/getFile.py/access?contribId=6&sessionId=4&resId=1&materialId=slides&confId=49905
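An added example of the site-level log analysis described above, not one of the "filters" the slide refers to: in a constructed log format where only the CE mapping record carries the grid DN, it reconstructs everything a given identity's jobs did on worker nodes (which only log the job id and pool account) and answers the reverse question an incident report asks, namely which identity's job contacted a given address. The log format, DNs, hosts and addresses are all constructed placeholders.

```python
import re

# Constructed log format: "<timestamp> <host> <service>: key="value" ..." (not a gLite format).
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+): (.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse(lines):
    """Turn raw lines into records; lines not matching the format are skipped, not guessed."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            rec = {"ts": m.group(1), "host": m.group(2), "service": m.group(3)}
            rec.update(KV_RE.findall(m.group(4)))
            records.append(rec)
    return records

def job_owners(records):
    """Job id -> DN, taken from the CE mapping records (the only place the DN appears)."""
    return {r["job"]: r["dn"] for r in records if "dn" in r and "job" in r}

def actions_for_dn(records, dn):
    """Site-level traceability: everything the grid identity did, including worker-node
    records that only carry the job id and the pool account, never the DN."""
    jobs = {j for j, owner in job_owners(records).items() if owner == dn}
    return [r for r in records if r.get("dn") == dn or r.get("job") in jobs]

def dns_that_contacted(records, ip):
    """Reverse question from an incident report: whose jobs talked to this address?"""
    owners = job_owners(records)
    return sorted({owners[r["job"]] for r in records
                   if r.get("dst") == ip and r.get("job") in owners})

# Constructed sample lines (placeholder DNs, hosts, pool accounts and addresses).
SAMPLE = """\
2009-07-01T09:58:02 ce01 gatekeeper: event="map" dn="/DC=example/DC=org/CN=Alice Grid User" local_user="dteam003" job="ce01.12345"
2009-07-01T09:58:04 ce01 gatekeeper: event="map" dn="/DC=example/DC=org/CN=Bob Grid User" local_user="dteam004" job="ce01.12346"
2009-07-01T10:01:10 wn042 batch: event="job_start" job="ce01.12345" local_user="dteam003"
2009-07-01T10:03:30 wn042 netflow: event="outbound" job="ce01.12345" dst="192.0.2.44" dport="6667"
2009-07-01T10:09:12 wn042 batch: event="job_end" job="ce01.12345" local_user="dteam003"
2009-07-01T10:10:00 wn017 batch: event="job_start" job="ce01.12346" local_user="dteam004"
""".splitlines()
```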

Security Training & Dissemination
gLite Service reference cards
  – ards
gLite-AMGA - ARDA Metadata Catalog
glite-BDII - Berkeley Database Information Index
glite-CREAM_CE - gLite CREAM Computing Element
glite-DPM - Disk Pool Manager
glite-FTS - File Transfer Service
glite-LFC - LCG File Catalog
gLite-LB - Logging and Bookkeeping service
glite-MON - Monitoring System Collector Server
glite-PX - MyProxy server
glite-UI - User Interface
glite-VOBOX - Virtual Organisation Node
glite-VOMS - Virtual Organisation Membership System
gLite-WMS - Workload Management Service
glite-WN - Worker Node
lcg-CE - LCG Computing Element
gLExec - gLExec (both for WN and CE)

Service reference cards
Each service card has a "security information" section
  – Access control mechanism description (authentication & authorization)
  – How to block/ban a user
  – Network usage
  – Firewall configuration
  – Security recommendations
  – Security incompatibilities
  – List of externals (packages NOT maintained by Red Hat or by gLite)
  – Other security relevant comments

Security Trainings
Target system managers and administrators, NOT end users
No dedicated budget for security training
  – Incorporate training into other conferences/events
Past training events
  – EGEE'07, 1st-5th October 2007, Budapest
  – EGEE'08, 22nd-26th September 2008, Istanbul
  – Security training at Laboratory APC, France, 2nd-3rd April 2009
  – Security training at ISGC 2009, Taipei, 19th April 2009
Upcoming training events
  – Security workshop at RAL, UK, 1st July 2009
  – GridKa School at Karlsruhe, Germany, 31st Aug.-4th Sep
  – EGEE'09, September 2009, Barcelona
Some ROCs are planning trainings in their regions as well


Security Page
Still in a very early stage, will be hosted at the OSCT website
Topics cover
  – Security policies, procedures
  – Security monitoring
  – Middleware security
  – OS security
  – Network security
  – Trust (CA, PKI and IGTF)
  – Forensics
  – … …
TERENA training material

Questions?